Access Gateway native logon option explained

The SSL VPN offered by NetScaler Access Gateway uses the system's web browser as the user interface for logging on to the network.

This brings certain advantages: logon can be made conditional on the result of endpoint security checks, the VPN client can be delivered to users who have not installed it yet, and NetScaler's own or internal web portals can be displayed to users once they have established a tunnel.

There are, however, environments or use cases where this feature is not needed. A while back one of our customers asked me how the native logon form could be shown to all users by default, or even be rolled out that way automatically, so that the web browser is no longer the user interface for the VPN client. Keep in mind that the advantages listed above come with the browser logon, so weigh them before switching users to the native form.

The screenshot below shows what it looks like. The input fields displayed can be altered, and a combination of password and token authentication is possible in the very same way as when the web browser is the user interface.

The configuration for this way of logging on is done in the VPN profile of the Secure Access Client. In the options of your VPN connection (see the tray icon) you can change your profile. The setting responsible for the logon form is on the "Options" tab: the checkbox titled "Use the Access Gateway Plug-in for logon" needs to be checked for the native logon form to come up the next time you connect with the client.

While this is not news to many of you and is documented elsewhere, my client wanted something that is not documented anywhere: he needed to auto-deploy the Access Gateway plug-in to new machines and did not want users to go through the dialogues to change the default behaviour themselves. Hence we needed to set the logon option ourselves so that the native logon form is available from first use.

As described before, the setting is part of the client's VPN profile. It is not stored in the registry but in an ini file in the user's profile under %LOCALAPPDATA% (the AppData\Local subtree, not the roaming %APPDATA% folder). On my machine, for instance, the file resides here:

C:\Users\David\AppData\Local\Citrix\AGEE\ns1profile.ini

In my case it contains only a few lines of options, of which "native login" is the one we are after:

[global]
current user=David
[David]
native login=0

What does 0 mean in this case?

native login=0: the web browser acts as user interface (default)
native login=1: the native logon form is used as the interface to connect to the VPN.

Note that the key lives in the per-user section whose name matches the "current user" value in [global], so a deployed file must use the section name of the user who will run the client.

As it is just a text file with a few lines of options, auto-deployment of these settings can be done in various ways (MSI package, logon script, etc.).
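The following PowerShell script is an added example for the deployment step above; it is not code from the original post or from Citrix. It reads the existing ns1profile.ini (if any), keeps every other key intact, and sets "native login=1" in the section of the current user. It assumes the path shown in the post, assumes the per-user section is named after the "current user" value in [global] (falling back to the Windows user name when the file does not exist yet on a freshly deployed machine), and assumes plain "key=value" lines.

```powershell
# Added example, not code from the original post or from Citrix. Sets "native login=1"
# in the Secure Access Client profile of the user running the script, preserving any
# other keys in the file. Run it in the user's context (e.g. a logon script), because
# $env:LOCALAPPDATA must resolve to that user's profile.
#
# Assumptions: the ini path matches the one shown in the post; the per-user section is
# named after the "current user" value in [global] (falling back to the Windows user
# name if the file does not exist yet); keys and values are plain "key=value" lines.

$ProfilePath = Join-Path $env:LOCALAPPDATA 'Citrix\AGEE\ns1profile.ini'

function Read-IniFile([string]$Path) {
    # Returns ordered section -> (ordered key -> value); empty when the file is absent.
    $ini = [ordered]@{}
    if (-not (Test-Path -LiteralPath $Path)) { return $ini }
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
        }
        elseif ($null -ne $section -and $t -match '^([^=]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $ini
}

function Write-IniFile([string]$Path, $Ini) {
    # Serialises the sections back in their original order.
    $lines = foreach ($s in $Ini.Keys) {
        "[$s]"
        foreach ($k in $Ini[$s].Keys) { "$k=$($Ini[$s][$k])" }
    }
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    Set-Content -LiteralPath $Path -Value $lines
}

$ini = Read-IniFile $ProfilePath
if (-not $ini.Contains('global')) { $ini['global'] = [ordered]@{} }

# Honour an existing "current user" entry; otherwise seed it from the Windows user name.
if ($ini['global'].Contains('current user')) {
    $user = $ini['global']['current user']
} else {
    $user = $env:USERNAME
    $ini['global']['current user'] = $user
}
if (-not $ini.Contains($user)) { $ini[$user] = [ordered]@{} }

$before = $ini[$user]['native login']
$ini[$user]['native login'] = '1'
Write-IniFile $ProfilePath $ini
Write-Host "native login for [$user]: '$before' -> '1' in $ProfilePath"
```

Because the file sits in a user-writable location, this is a convenience default, not an enforcement point: a user can always flip the checkbox back (or edit the file), so any policy you actually rely on has to be enforced on the Access Gateway side.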

My client, however, was still not satisfied with the look and feel of the client and asked for something more flexible and extensible (e.g. running certain programs depending on whether the tunnel is up or not). To accomplish that, it became obvious that I had to reconnect with the long-lost developer in me and use the client API of Access Gateway. Since this is not really documented anywhere, a separate blog article (Access Gateway client API library) covers that topic in more detail.